On 28 April 2020, the Belgian Data Protection Authority (BEDPA) fined a company 50,000EUR for appointing its Head of Compliance, Audit and Risk as its Data Protection Officer (DPO).
The BEDPA decision
The BEDPA found that the appointment of the company’s Head of Compliance, Audit and Risk as DPO was negligent and gave rise to a conflict of interest, prohibited by Article 38(6) of the General Data Protection Regulation 2016/679 (GDPR).
The BEDPA looked to the guidelines on DPOs of the European Data Protection Board (EDPB), the independent body comprised of representatives of the national data protection authorities, for what constitutes a conflict of interests. The EDPB guidelines state that a DPO “cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data”.
The BEDPA said that as Head of Compliance, Audit and Risk, the relevant individual was essentially responsible for making decisions about the processing of personal data within those departments. The individual was therefore unable to exercise their functions as DPO independently, given that they would also be expected in their DPO capacity to scrutinise and advise on the decisions taken about the processing of personal data by those departments.
The decision indicates that the BEDPA considers the mere appointment of one person within a company to exercise both the DPO function and any other function which involves responsibility for decisions regarding the processing of personal data to give rise to a conflict of interest. In our view, this is both highly conservative and problematic for any company wishing to make an internal DPO appointment, unless it is prepared to engage someone who has no other management role in the company. The decision is subject to appeal and we would expect that it would have good chances of being overturned if it is appealed. Article 38(6) of the GDPR expressly allows DPOs to undertake other tasks and duties. The EDPB recognises that the question of whether a conflict of interest exists between the role of the DPO and any other tasks and duties assigned to the DPO should be assessed on a case-by-case basis, taking into account the organisational structure of each organisation. It is therefore likely that an organisation that can prove that any additional functions do not give rise to a conflict of interest, can indeed appoint a DPO who fulfils other tasks and duties as Article 38(6) of the GDPR envisages.
The BEDPA is not the only European data protection regulator to have taken a conservative approach with regard to DPO conflicts. In a separate decision, the Hellenic Data Protection Authority (HDPA) recently confirmed that DPOs should not represent their organisations in regulatory investigations before the HDPA. This decision was also based on the need to ensure the independence and autonomy of DPOs. The HDPA’s reasoning was that having DPOs act as representatives of their own organisations in regulatory investigations could give rise to conflicts of interests because internal advice provided by DPOs to their employers is not binding, and therefore expecting DPOs to support their organisations’ decisions (taken on their advice or not) before the HDPA could constitute a conflict of interest.
While it is to be hoped that we will see regulators over time taking a more balanced approach in their rulings on DPO conflicts, all companies and other data controllers who have made an internal DPO appointment should identify the positions and functions that would be incompatible with the role and the activities of their DPOs, document their analysis, and implement internal processes to ensure the separation of functions and responsibilities between the different roles.
Under the GDPR, a DPO is required to be an expert in data protection matters, report directly to the highest level of management within the organisation, and act as the first point of contact for supervisory authorities and individuals whose data is processed by the company.
An alternative to making an internal appointment is of course to engage an external specialist, an approach which is specifically permitted under the GDPR. A number of our clients trust Wiggin and our own “DPO-on-demand” business, Wiggin Data Services, for the provision of expert DPO services on a full-time or part-time as needed basis. For more information on Wiggin Data Services please click here.